Abstract



We consider the problem where $\pi$ is an unknown permutation on $\{0, 1, \ldots, 2^n - 1\}$,
$y_0 \in \{0, 1, \ldots, 2^n - 1\}$, and the goal is to determine the minimum $r > 0$ such that
$\pi^r(y_0) = y_0$. Information about $\pi$ is available only via queries that yield $\pi^x(y)$ from
any $x \in \{0, 1, \ldots, 2^m - 1\}$ and $y \in \{0, 1, \ldots, 2^n - 1\}$ (where $m$ is polynomial in $n$).
The main resource under consideration is the number of these queries. We show that
the number of queries necessary to solve the problem in the classical probabilistic
bounded-error model is exponential in $n$. This contrasts sharply with the quantum
bounded-error model, where a constant number of queries suffices.

1 Introduction

Let $\pi$ be an arbitrary permutation on $\{0, 1, \ldots, 2^n - 1\}$. For any $y \in \{0, 1, \ldots, 2^n - 1\}$,
define the order of $y$ with respect to $\pi$, denoted as $\mathrm{ord}_\pi(y)$, as the minimum $r > 0$ such that
$\pi^r(y) = y$. Define $f : \{0, 1, \ldots, 2^m - 1\} \times \{0, 1, \ldots, 2^n - 1\} \to \{0, 1, \ldots, 2^m - 1\} \times \{0, 1, \ldots, 2^n - 1\}$
as

$$f(x, y) = (x, \pi^x(y)). \tag{1}$$

Note that $f$ can be regarded as a permutation on $\{0, 1\}^m \times \{0, 1\}^n = \{0, 1\}^{m+n}$.

Define the order-finding problem as follows. As input, one is given $f$ as a black-box. That
is, one can perform queries that return $f(x, y)$ in response to $(x, y) \in \{0, 1, \ldots, 2^m - 1\} \times
\{0, 1, \ldots, 2^n - 1\}$. One is also given an element $y_0 \in \{0, 1, \ldots, 2^n - 1\}$. The goal is to determine
$\mathrm{ord}_\pi(y_0)$. The resource under consideration is the number of queries performed.

Shor's remarkable algorithm for integer factorization on a quantum computer [7] is based
on solving the modular order-finding problem. In this problem, the input is an $n$-bit integer
$N$ and also an integer $a$ such that $0 < a < N$ and $\gcd(a, N) = 1$. The goal is to find the
minimum $r > 0$ such that $a^r \bmod N = 1$. This is equivalent to a specialized instance of the
order-finding problem defined above with $y_0 = 1$, and

$$\pi(y) = \begin{cases} ay \bmod N & \text{if } 0 \le y < N \\ y & \text{if } N \le y < 2^n. \end{cases} \tag{2}$$

The quantum algorithm in [7] actually solves the more general order-finding problem with
$m = 2n$, and it accomplishes this with only two queries and $O(n^2)$ auxiliary operations
(measured in terms of, say, two-qubit quantum gates).

We investigate the classical query complexity of the general order-finding problem, and 
our main results are the following. 

Theorem 1: Any classical deterministic procedure for the order-finding problem requires
$\Omega(\sqrt{2^n/m})$ queries (assuming $m > n$).

Theorem 2: Any classical probabilistic procedure for the order-finding problem requires 
f2( queries if the success probability is bounded above zero (assuming m > n). 

In particular, when $m = 2n$, the quantum vs. classical query complexity is $O(1)$ vs.
in the bounded-error model. A comparison with other known quantum vs. classical 
query separations in the bounded-error model is given in Table 1. 



Table 1: Comparison of quantum vs. classical separations for query problems
in the bounded-error model.

Our classical lower bounds for order-finding are exponential whenever $m$ is polynomial in
$n$ (and even for some settings of $m$ that are exponentially larger than $n$, such as $m = 2^{n/2}$).

It is sometimes stated informally that the "period-finding" task performed by the quantum
Fourier transform in Shor's algorithm [7] cannot be accomplished efficiently by any
classical method. Theorem 2 can be viewed as a confirmation of this in a formal setting.¹

It should be noted that classical order-finding methods that are not entirely trivial exist,
since it can be advantageous to perform queries that request $\pi^x(y)$ where $x$ is much larger
than $2^n$. For example, consider the case where $n = 4$ and $m = 7$, so the potential values of
$\mathrm{ord}_\pi(y_0)$ are $\{1, 2, \ldots, 16\}$. We first state the following lemma, which is simple to prove.

Lemma 3: $\pi^x(y) = y$ if and only if $\mathrm{ord}_\pi(y) \mid x$.

Now, after a single query requesting $\pi^{90}(y_0)$ is performed, the possible values of $\mathrm{ord}_\pi(y_0)$
are reduced by a factor of two: if $\pi^{90}(y_0) = y_0$ then $\mathrm{ord}_\pi(y_0) \in \{1, 2, 3, 5, 6, 9, 10, 15\}$;
otherwise, $\mathrm{ord}_\pi(y_0) \in \{4, 7, 8, 11, 12, 13, 14, 16\}$. This process can be continued. For example,
suppose that $\pi^{90}(y_0) \ne y_0$. Then let the second query request $\pi^{56}(y_0)$. If $\pi^{56}(y_0) = y_0$ then
$\mathrm{ord}_\pi(y_0) \in \{4, 7, 8, 14\}$; otherwise, $\mathrm{ord}_\pi(y_0) \in \{11, 12, 13, 16\}$. It is straightforward to extend
this to an algorithm that, for these settings of $n$ and $m$, always deduces $\mathrm{ord}_\pi(y_0)$ with four
queries.
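The following added example (not code from the paper) carries the n = 4, m = 7 splitting argument through to a complete procedure: instead of the hand-picked exponents 90 and 56, it greedily picks the exponent whose divisors split the remaining candidates most evenly, and checks every possible order. The oracle construction and all function names are assumptions made for the illustration.

```python
"""Adaptive order finding with pi^x(y0) queries, for n = 4 and m = 7.

Lemma 3: pi^x(y0) == y0 exactly when ord(y0) divides x, so every answer
splits the remaining candidate orders into divisors / non-divisors of x.
"""


def make_oracle(order, n):
    """Constructed black box: y0 = 0 lies on a cycle of the given length."""
    pi = list(range(2 ** n))            # elements off the cycle are fixed points
    for i in range(order):
        pi[i] = (i + 1) % order         # 0 -> 1 -> ... -> order-1 -> 0

    def query(x, y):
        for _ in range(x):              # walk x steps: returns pi^x(y)
            y = pi[y]
        return y
    return query


def best_query(candidates, m):
    """Smallest x in [1, 2^m) whose divisibility test splits most evenly."""
    def larger_side(x):
        hits = sum(1 for r in candidates if x % r == 0)
        return max(hits, len(candidates) - hits)
    return min(range(1, 2 ** m), key=larger_side)


def find_order(query, y0, n, m):
    """Return (order, exponents asked) using only pi^x(y0) queries."""
    candidates = set(range(1, 2 ** n + 1))
    asked = []
    while len(candidates) > 1:
        x = best_query(candidates, m)
        asked.append(x)
        if query(x, y0) == y0:          # Lemma 3: the order divides x
            candidates = {r for r in candidates if x % r == 0}
        else:                           # the order does not divide x
            candidates = {r for r in candidates if x % r != 0}
    return candidates.pop(), asked


def worst_case_queries(n, m):
    """Most queries needed over every possible order of y0."""
    worst = 0
    for order in range(1, 2 ** n + 1):
        found, asked = find_order(make_oracle(order, n), 0, n, m)
        assert found == order
        worst = max(worst, len(asked))
    return worst


if __name__ == "__main__":
    print(worst_case_queries(4, 7))     # n = 4, m = 7 as in the text
```

The loop always terminates because the smallest remaining candidate is itself a valid exponent that separates it from the largest one.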

¹In the context of the modular order-finding problem, no interesting classical lower bound is known, and
such a lower bound would constitute a major breakthrough in computational complexity theory.

Theorems 1 and 2 imply, among other things, that the binary splitting which occurs in
the above example cannot occur for larger values of $n$. Informally, the basic idea behind
the proofs is that there are many potential values of $\mathrm{ord}_\pi(y_0)$ which are large primes, and
an $x \in \{0, 1, \ldots, 2^m - 1\}$ cannot have too many of these as divisors. Thus, on average, a
query of the form $\pi^x(y)$ eliminates very few of these values. The technicalities in the proofs
arise from considering the ways that information can accumulate from a sequence of several
queries.

Formally, the procedures that we are analyzing are decision trees, which have a query 
at each internal node, and a child node corresponding to each possible outcome of that 
query. Each leaf has an output value associated with it. The execution of a decision tree 
is a path from the root to a leaf that follows the outcomes of the queries. The depth of 
the tree corresponds to the number of queries of the procedure (for a worst-case input). A 
randomized decision tree represents a decision procedure that is allowed to flip coins and have
its behavior depend on the outcomes. It can be defined formally as a probability distribution 
on a set of deterministic decision trees. 



2 Lower bound for deterministic decision trees 

In this section, we prove Theorem 1. The proof is based on the evasive method. Let the query
algorithm (decision tree) be fixed and construct a sequence of responses to queries which are
consistent with at least two permutations $\pi_1$ and $\pi_2$ such that $\mathrm{ord}_{\pi_1}(y_0) \ne \mathrm{ord}_{\pi_2}(y_0)$. Then
the length of this sequence is a lower bound on the query complexity of the problem.
Define the set

$$R = \{\, r : r \text{ is prime and } 2^{n-1} < r < 2^n \,\}. \tag{3}$$

We will consider the restricted set of permutations, for which $\mathrm{ord}_\pi(y_0) \in R$. This is not a
very severe restriction because, by the Prime Number Theorem (see, for example, 0), the
following is a lower bound on the size of $R$.

Lemma 4: The size of $R$ is at least $\alpha \frac{2^n}{n}$, where $\alpha = 0.721$ (for sufficiently large $n$).

Intuitively, the next lemma asserts that, since the elements of $R$ are primes of significant
size, the number that are eliminated by a query is not very large.

Lemma 5: For any $x < 2^h$ the number of elements of $R$ that divide $x$ is at most $\frac{h}{n-1}$.

Proof: If $x$ contains more than $\frac{h}{n-1}$ divisors from $R$ then $x > (2^{n-1})^{\frac{h}{n-1}} = 2^h$, a contradiction. ∎

Now, to construct the evasive sequence of responses, it is helpful to have a systematic
way of keeping track of the evolution of information about the unknown permutation $\pi$
that unfolds as the queries occur. Define a chain as a weighted linked-list of the form
illustrated in Figure 1, where $k < 2^n$, $y_1, y_2, \ldots, y_k$ are distinct elements of $\{0, 1, \ldots, 2^n - 1\}$,
and $w_1, \ldots, w_{k-1} \in \{0, 1, \ldots, 2^m - 1\}$. A link with weight $w_i$ from $y_i$ to $y_{i+1}$ indicates that
$\pi^{w_i}(y_i) = y_{i+1}$. Several other relationships follow by transitivity: $\pi^{w_i + \cdots + w_{j-1}}(y_i) = y_j$, for
each $i, j \in \{1, 2, \ldots, k\}$ with $i < j$. After each query is made and responded to, the chain is
adjusted so as to contain all properties of $\pi$ that have been determined up to that point in
the execution of the query algorithm.

Figure 1: A chain of length $k$.

Call a query internal if it requests $\pi^x(y)$, where $y \in \{y_1, \ldots, y_k\}$, or if it is the very first
query. There are two possibilities with an internal query. One is that all the information
about the response is already contained in the existing chain, in which case this information
is simply returned and the chain does not need to be adjusted. The second possibility is
that the information is not yet determined by the existing chain. An example is the query
requesting $\pi^x(y_1)$, where $w_1 < x < w_1 + w_2$. In this case, the information returned is some
(arbitrary) $y \notin \{y_1, \ldots, y_k\}$ and the chain is updated to reflect this. For the given example,
the updated chain would contain a new element between element $y_2$ and $y_3$. Note that the
property that the weights are all in $\{0, 1, \ldots, 2^m - 1\}$ is preserved. We will also have to
consider external (i.e. non-internal) queries, requesting $\pi^x(y)$, where $y \notin \{y_1, \ldots, y_k\}$, but
we postpone this until later.

Suppose that, after a number of queries, the resulting chain is that of Figure 1. Thus, $\pi$
can be any permutation consistent with this chain. The elements of the chain must all be in
the same cycle of $\pi$. What are the possible sizes of this cycle?

Lemma 6: For any $r \in R$, the chain of Figure 1 is consistent with cycle size $r$ if and only
if $r \nmid w_i + \cdots + w_{j-1}$ for all $i, j \in \{1, 2, \ldots, k\}$ with $i < j$.

Proof: For the "only if" direction, if $r \mid w_i + \cdots + w_{j-1}$ then, by Lemma 3, $y_i = y_j$,
which contradicts the fact that $y_i$ is distinct from $y_j$. For the "if" direction, suppose that
$r \nmid w_i + \cdots + w_{j-1}$ (for all $i < j$) and map the chain onto a cycle of size $r$. Then, for all $i < j$,
$y_i$ will not collide with $y_j$, since, by Lemma 3, this would imply that $r \mid w_i + \cdots + w_{j-1}$. ∎

Let us now consider how many cycle sizes $r \in R$ are consistent with the chain of Figure 1.
There are $\frac{k(k-1)}{2} < \frac{k^2}{2}$ values of $i, j \in \{1, 2, \ldots, k\}$ with $i < j$. For each such pair,
$w_i + w_{i+1} + \cdots + w_{j-1} < k 2^m < 2^{n+m}$, so, by Lemma 5, the number of its divisors that reside in
$R$ is at most $\frac{n+m}{n-1}$. Therefore, by Lemma 4, at least $\alpha \frac{2^n}{n} - \frac{k^2}{2}\left(\frac{n+m}{n-1}\right)$ different values in $R$
are consistent with the chain of Figure 1. It follows that $r$ is not uniquely determined until
$\alpha \frac{2^n}{n} - \frac{k^2}{2}\left(\frac{n+m}{n-1}\right) < 2$, which means

$$k > \sqrt{\frac{2(n-1)}{n+m}\left(\alpha \frac{2^n}{n} - 2\right)} \in \Omega\left(\sqrt{2^n/m}\right). \tag{4}$$

We now address the case of external queries. For an external query requesting $\pi^x(y)$, where
$y \notin \{y_1, \ldots, y_k\}$, $y$ might not be in the cycle containing the elements of the existing chain.
Or $y$ might be in this cycle, but at an unspecified place. This information could be recorded
by starting a new chain, and the resulting data structure after several queries might consist
of several chains. To simplify the evasive procedure, the following two steps are performed.
First, a new element $y$ is added to the beginning of the chain with a weight of 1. Then the
procedure for an internal query is followed. Note that the resulting chain actually specifies
more information about $\pi$ than revealed by the queries (since the queries do not reveal that
$\pi^1(y) = y_1$). This is not a problem because what we are using is the fact that the chain
contains at least as much information about $\pi$ as the queries have revealed. After $k$ (internal
or external) queries, the result is a single chain of length at most $2k$. It follows that an
evasive sequence of length $\Omega(\sqrt{2^n/m})$ exists, completing the proof of Theorem 1.

3 Lower bound for randomized decision trees 

To prove Theorem 2, we use the game theoretic approach of Yao 0, and exhibit a probability
distribution on the set of permutations on $\{0, 1, \ldots, 2^n - 1\}$ for which every deterministic
decision tree must make f2(^^) queries in order to determine $r$ with probability at least
| (say). It then follows that, for any randomized decision tree (which corresponds to a
probability distribution on deterministic decision trees), ^(77=) queries are necessary to
determine $r$ with probability at least |.

Define a collision as any query requesting $\pi^x(y)$ with $x > 0$ whose response is $y$ (i.e.
$\pi^x(y) = y$). It suffices to show that f2(^^-) queries are necessary to obtain a collision with
probability at least |. This is because any execution of a decision tree that correctly
determines $r$ can be adjusted to include a collision with at most one additional query (requesting
$\pi^r(y_0)$).

Assign a probability distribution to the set of permutations on $\{0, 1, \ldots, 2^n - 1\}$ as follows.
First (assuming for convenience that $n$ is divisible by 3), choose an order $r$ uniformly from
the set

$$R' = \{\, r : r \text{ is prime and } 2^n - 2^{2n/3} < r < 2^n \,\}. \tag{5}$$

Estimating the size of $R'$ is more subtle than for $R$; however, sufficient lower bounds do exist
(the relevant result is implicit in ||, explicitly stated in ||, and the value of $\beta$ in the
lemma below is from [0]).

Lemma 7 [@, [5|, §]: The size of R! is at least ft^^—-, where (5 — ^ (for sufficiently large n). 

Once $r$ is chosen, the generation of $\pi$ proceeds as follows. Let $\pi$ consist of two cycles, one
of size $r$ and one of size $s = 2^n - r$. The $r$-cycle consists of $r$ randomly selected elements
of $\{0, 1, \ldots, 2^n - 1\}$ inserted in a random order, and the $s$-cycle consists of the remaining $s$
elements of $\{0, 1, \ldots, 2^n - 1\}$ inserted in a random order. With probability at least $1 - 2^{-n/3}$,
$y_0$ is in the $r$-cycle. The permutation $\pi$ can be explicitly represented by an array $A =
(A_0, A_1, \ldots, A_{2^n - 1})$ and the value $r$ with the understanding that $s = 2^n - r$ and

$$\pi^x(A_i) = \begin{cases} A_{(i+x) \bmod r} & \text{if } 0 \le i < r \\ A_{((i-r+x) \bmod s)+r} & \text{if } r \le i < 2^n. \end{cases} \tag{6}$$

To construct $\pi$, one could choose $r$ as above and then insert the values of $\{0, 1, \ldots, 2^n - 1\}$
into $A$ in a random order. To simulate the execution of any fixed decision tree $T$, the
responses to queries can be made by referring to $A$; however, we describe an alternate way
of responding to the queries in $T$ which is stochastically equivalent to this. In the alternate
method, the entries of $A$ are determined "on the fly", as the queries are received. To begin
with, three items are randomly created:

• A list $V$ of "new values", $v_0, v_1, \ldots, v_{2^n - 1}$ (the elements of $\{0, 1, \ldots, 2^n - 1\}$ in a random
order). An access to this list returns the first item, and then removes this item from
the list (so the next access returns the second item, and so on).

• A list $I$ of "new indices", $i_0, i_1, \ldots, i_{2^n - 1}$ (the elements of $\{0, 1, \ldots, 2^n - 1\}$ in a random
order). An access to this list returns the first item, and then removes this item from
the list.

• A random $r \in R'$.

The array $A$ is initially empty. Then, whenever a query requesting $\pi^x(y)$ is made, the
following two-stage procedure is carried out to update $A$.

1. The value of $i$ such that $A_i = y$ is determined. If $y$ has not yet been inserted into $A$,
then it is inserted in the following way. The elements of $I$ are accessed until one occurs
that corresponds to an $i$ such that $A_i$ has not yet been assigned a value. Then $A_i$ is
assigned the value $y$.

2. The value of the $j$ corresponding to $A_j = \pi^x(A_i)$ (according to Eq. (6)) is determined.
Then, if $A_j$ has not yet been assigned a value, the elements of $V$ are accessed until a
value that has not yet appeared in $A$ occurs, and $A_j$ is assigned to that value.

Finally, the value of $A_j$ is the response to the query.

The decision tree $T$ contains N branches from every query. However, once $V$ has been
determined (but independent of $I$ and $s$), there is always at most one branch possible that
corresponds to a "new value" from $V$ (i.e. where the query results in accesses to $V$ in Step 2).
For example, suppose that the very first query is $(x, y)$. Then one possible branch is $y$ (if
$\pi^x(y) = y$), and the only other possible branch is $v'$ (if $\pi^x(y) \ne y$), where $v'$ is a value
accessed from $V$ (specifically, $v' = v_0$ if $v_0 \ne y$, and $v' = v_1$ if $v_0 = y$). The latter branch
corresponds to a "new value". We shall consider the path from the root to a leaf that
follows the new value branch whenever such a branch is possible (if a new value branch is
not possible then the value of the query is determined by the previous queries, so only one
branch is possible, and that is the one taken in this path). Call this path the principal path
of $T$.

We now describe a procedure for associating a chain with every query along the principal
path of $T$. The chain associated with each query subsumes all the information about $\pi$
that would be determined up to and including that query, if the principal path were taken
up to that point. These chains depend on $I$ (as well as $V$, which determines the principal
path) and may fail with a certain probability (that we will show to be negligibly small). For
the first query requesting $\pi^x(y)$, if the first new address $i_0$ does not exceed $2^n - 2^{2n/3}$, we
assign the chain of length two of Figure 2; otherwise the process fails. This corresponds
to $\pi^x(y) = v'$. Note that the head of the chain ($y$) is in a definite position ($i_0$) in array $A$,
determined by $V$ and $I$, but independent of the value of $r$. We call $i_0$ the location of the
head of the chain. Also, note that, since $i_0 < 2^n - 2^{2n/3} < r$, both $y$ and $v'$ are in the $r$-cycle
of $\pi$ (whatever the value of $r$ is).

Figure 2: The chain associated with the first query of the principal path.

For each subsequent query in the principal path, the chain is updated to include the
information revealed by this query in the following way. Assume that the chain associated
with the previous query is of the form in Figure 1 and that $i'$ is the location of the head of
the chain ($y_1$). We consider the case of internal and external queries separately. For internal
queries, the chain is updated in the natural way, as in the proof of Theorem 1, with the value
of a possible new node taken from $V$. The location of the head of the chain remains $i'$.

The procedure for external queries is a little more complicated. First, let $i''$ be the next
element of $I$. If $i''$ exceeds $2^n - 2^{2n/3}$ then the procedure fails. Otherwise, a new node is
inserted into the chain at a place dependent on the value of $i' - i''$. If $i' - i'' > 0$ then the
new node is linked before the head of the chain with a link of weight $i' - i''$, as illustrated
in Figure 3, and the location of the head of the chain is changed to $i''$. If $i' - i'' < 0$
then the new node is linked after the head of the chain, in an appropriate position so as to
have weighted distance $i'' - i'$ from the head. It is possible that this causes an "overlap" in
that there is already a node in the chain with weighted distance $i'' - i'$ from the head. In
this event, the process fails. After the node has been inserted into the chain, the query is
processed exactly as an internal query.

Figure 3: First step in updating the chain for an external query requesting
$\pi^x(y)$ when $i' - i'' > 0$.

The procedure of associating chains with queries continues until either the end of the
principal path is reached or a failure occurs. If $t$ is the depth of $T$ then the probability of
termination due to failure is bounded above by $t 2^{-n/3} + t^2 (2^n - 2^{2n/3})^{-1}$ (which is $o(1)$ if
$t \in o(2^{n/3})$).

To recap so far, based on $V$ and $I$ (but independent of the choice of $r$), a principal path
from the root until a leaf of decision tree $T$ is determined (with a negligible failure probability
$o(1)$). Consider the "final" chain, associated with the last query along the principal path.
This chain has length $k < 2t$, and it is completely independent of the choice of $r$. Moreover,
since this chain subsumes all the information obtained about the permutation $\pi$, no collision
occurs whenever an execution of $T$ follows the principal path.

Now, consider the probability (with respect to the random choice of $r \in R'$) of the
event that the principal path is not taken (assuming that the final chain has length $k$). By
Lemma 6, this event occurs whenever $r \nmid w_i + \cdots + w_{j-1}$ for all $i, j \in \{1, 2, \ldots, k\}$ with $i < j$.
The probability of this is bounded below by

which is bounded above | unless

From this, Theorem 2 follows.

4 Upper bounds

When $m > n + 1$, there is a probabilistic procedure that solves the order-finding problem
with $O(\sqrt{2^n})$ queries. The idea is to select $x_1, x_2, \ldots, x_k \in \{0, 1, \ldots, 2^{n+1} - 1\}$ randomly and
output the minimum positive $x_i - x_j$, where $i, j \in \{1, 2, \ldots, k\}$ and $\pi^{x_i}(y_0) = \pi^{x_j}(y_0)$. The
probability that the output is not $\mathrm{ord}_\pi(y_0)$ is bounded above by $2^{-\Omega(k^2/2^n)}$. There is a
setting $k \in O(\sqrt{2^n})$ that bounds this below any positive constant.
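The collision procedure just described, as an added example that is not code from the paper: it runs against a constructed random permutation with n = 8 and compares a small and a large number of queries. By Lemma 3 any collision yields a multiple of the order, so too few queries can only overshoot or find nothing. All function names, the seed and the two query counts are assumptions.

```python
"""Collision-based order finding (Section 4) against a constructed oracle."""
import random


def random_permutation(n, rng):
    """Constructed black box: a random permutation of {0, ..., 2^n - 1}."""
    pi = list(range(2 ** n))
    rng.shuffle(pi)
    return pi


def power(pi, x, y):
    """One query: pi^x(y), computed by walking x steps."""
    for _ in range(x):
        y = pi[y]
    return y


def true_order(pi, y0):
    """Ground truth for checking: length of the cycle through y0."""
    r, y = 1, pi[y0]
    while y != y0:
        y, r = pi[y], r + 1
    return r


def collision_order(pi, y0, n, k, rng):
    """Draw k exponents below 2^(n+1); return the smallest positive
    x_i - x_j with pi^{x_i}(y0) == pi^{x_j}(y0), or None if none collide."""
    by_answer = {}                       # response -> exponents that gave it
    for _ in range(k):
        x = rng.randrange(2 ** (n + 1))
        by_answer.setdefault(power(pi, x, y0), set()).add(x)
    best = None
    for xs in by_answer.values():
        xs = sorted(xs)                  # smallest gap is between neighbours
        for a, b in zip(xs, xs[1:]):
            if best is None or b - a < best:
                best = b - a
    return best


def demo(n=8, seed=1):
    """Return (true order, estimate with few queries, estimate with many)."""
    rng = random.Random(seed)
    pi = random_permutation(n, rng)
    return (true_order(pi, 0),
            collision_order(pi, 0, n, 2 ** (n // 2), rng),
            collision_order(pi, 0, n, 50 * 2 ** (n // 2), rng))


if __name__ == "__main__":
    print(demo())
```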